Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2024, 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: CraxsRATv7.6Cracked.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: CraxsRATv7.6Cracked.exe
- Resource: win10v2004-20241007-en
General
- Target: CraxsRATv7.6Cracked.exe
- Size: 85.1MB
- MD5: 8310bdf3ac82001830f75c15fba8cc15
- SHA1: 581d729268cbd245d091633cc19692c4b5bfa0af
- SHA256: f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4
- SHA512: ceab56619fa83baddcc3af7b781ce144ec53db919a6a80079b51e874d495e78349dc6882dad3f815c95274d8caca514765f34086f0b7acb8d42c616ca1714bf0
- SSDEEP: 49152:kDSdqvdbLqSewjI63pCESb+7sQuJwomAiyHwjfUZo+JP0D73BB681fhojkIG1l0D:
Malware Config
Extracted
- Family: xworm
- C2: 45.145.41.178:1111
- Install_directory: %AppData%
- install_file: Windows Defender Notification.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x0007000000016d42-20.dat: family_xworm
  - behavioral1/memory/2824-25-0x0000000000AA0000-0x0000000000ABA000-memory.dmp: family_xworm
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process:
  - 1964 powershell.exe
  - 2152 powershell.exe
  - 1556 powershell.exe
  - 2576 powershell.exe
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid / Process:
  - 2956 netsh.exe
- Drops startup file (4 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe (Windows Defender Real Time Protection.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk (Windows Defender Notification.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk (Windows Defender Notification.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe (Windows Defender Real Time Protection.exe)
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 1180 Windows Defender Real Time Protection.exe
  - 2760 CraxsRat.exe
  - 2824 Windows Defender Notification.exe
- Loads dropped DLL (3 IoCs)
  pid / Process:
  - 2528 CraxsRATv7.6Cracked.exe (3 entries)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e75fed00639ea9e725255499292dcdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender Real Time Protection.exe\" .." (Windows Defender Real Time Protection.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0e75fed00639ea9e725255499292dcdd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender Real Time Protection.exe\" .." (Windows Defender Real Time Protection.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Notification.exe" (Windows Defender Notification.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
  - Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
  - Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Windows Defender Real Time Protection.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CraxsRATv7.6Cracked.exe)
- System Time Discovery (1 TTPs, 1 IoCs)
  Adversary may gather the system time and/or time zone settings from a local or remote system.
  pid / Process:
  - 2956 netsh.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 1832 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / Process:
  - 1964 powershell.exe
  - 2152 powershell.exe
  - 1556 powershell.exe
  - 2576 powershell.exe
  - 2824 Windows Defender Notification.exe
- Suspicious use of AdjustPrivilegeToken (63 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege 2824 Windows Defender Notification.exe
  - Token: SeDebugPrivilege 1964 powershell.exe
  - Token: SeDebugPrivilege 2152 powershell.exe
  - Token: SeDebugPrivilege 1556 powershell.exe
  - Token: SeDebugPrivilege 2576 powershell.exe
  - Token: SeDebugPrivilege 1180 Windows Defender Real Time Protection.exe
  - Token: SeDebugPrivilege 2824 Windows Defender Notification.exe
  - Token: 33 1180 Windows Defender Real Time Protection.exe, followed by Token: SeIncBasePriorityPrivilege 1180 Windows Defender Real Time Protection.exe, this pair repeating for all remaining entries
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  - 2824 Windows Defender Notification.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  description / pid / Process / procid_target:
  - PID 2528 wrote to memory of 1180 (CraxsRATv7.6Cracked.exe, target 30), 4 entries
  - PID 2528 wrote to memory of 2760 (CraxsRATv7.6Cracked.exe, target 31), 4 entries
  - PID 2528 wrote to memory of 2824 (CraxsRATv7.6Cracked.exe, target 32), 4 entries
  - PID 2760 wrote to memory of 1584 (CraxsRat.exe, target 33), 3 entries
  - PID 2824 wrote to memory of 1964 (Windows Defender Notification.exe, target 34), 3 entries
  - PID 2824 wrote to memory of 2152 (Windows Defender Notification.exe, target 36), 3 entries
  - PID 2824 wrote to memory of 1556 (Windows Defender Notification.exe, target 38), 3 entries
  - PID 2824 wrote to memory of 2576 (Windows Defender Notification.exe, target 40), 3 entries
  - PID 1180 wrote to memory of 2956 (Windows Defender Real Time Protection.exe, target 42), 4 entries
  - PID 2824 wrote to memory of 1832 (Windows Defender Notification.exe, target 44), 3 entries
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\CraxsRATv7.6Cracked.exe (PID 2528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRATv7.6Cracked.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe (PID 1180)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2956)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery; System Time Discovery
  - C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe (PID 2760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CraxsRat.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1584)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2760 -s 532
  - C:\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe (PID 2824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1964)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender Notification.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2152)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1556)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 1832)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe"
      Signatures: Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskeng.exe (PID 2244)
  Command line: taskeng.exe {438E8BA0-2F83-44A7-80B9-6D6AA9C509DC} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BSSX9EK9BEQRZ1ER4NDW.temp
  Filesize: 7KB
  MD5: d6dfd6de288a9575b6172e9008628b48
  SHA1: c354277a7ed7bdd809a19eb00d0e9bb7749045b9
  SHA256: cd1af713321ca6b680647a88b11578e961356dc2eb9c5afe6aa4f93e752ceadd
  SHA512: 69c9df610b8d8a6ee1f23e37149659871c2780c2d10572bc760050c9fd0eaf214b15d643f7f0d762eaf04205b6f64af8d022b342f68fa8f5b1fc138531b2daf5
- Filesize: 75KB
  MD5: 8d6e86e6e799c75bd5123534bdbf411b
  SHA1: 9fc526e97077ed2a5e78371fdab5ab7ecf789368
  SHA256: 7892c9f14967696e15b99b3eac66d65643357c9a4315f5e8210c8437c6617888
  SHA512: 8cd6e706c3f36d7cb1d6eed3717fd3e96863b6fcf4ee3425f7b08823b8dc364a1de215b578310a3d1fddd98f9eb648ddeafd85d8a2feed399d46fba7dba09265
- Filesize: 32KB
  MD5: fc15fb0cec248ea16a6eda92ab97b1f8
  SHA1: 01af6a8e81a92487ed29b9706ef8c86957666a45
  SHA256: 73e71dc70f6daeebd9a257d0b0c6e67e87c6d50b27eb94af08d15f1afb6ed02c
  SHA512: 525dbba870aeeb38edf40a31ab36230f11b481a63e14b441dc314f40da310d936dcac1b46f05aa93bbcf511acf1375aaaea5aa0438b399ba24812bddec93d730